“How to Install Let’s Encrypt with Nginx on Ubuntu 20.04 / Debian 11 / Linux Mint”
Introduction
Let’s Encrypt is a free, automated, and open certificate authority developed by the Internet Security Research Group (ISRG) that provides free SSL certificates. Certificates issued by Let’s Encrypt are trusted by all major browsers and are valid for 90 days from the date of issuance.
Prerequisites
- A domain that already points to the server
- Root access to the server
- Nginx already installed -> How to Install Nginx on Ubuntu 20.04 / Debian 11
Install Certbot
sudo apt update
sudo apt install certbot
Generate DH parameters for SSL
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Create the Let’s Encrypt SSL certificate
- Create the directory
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
- Create the configuration
sudo nano /etc/nginx/snippets/letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}
sudo nano /etc/nginx/snippets/ssl.conf
# DH parameters generated earlier, used by the DHE cipher suites
ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# Only TLS 1.2 and 1.3, with AEAD cipher suites
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;

# OCSP stapling; the resolver is needed to reach the OCSP responder
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

# Security response headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
sudo nano /etc/nginx/sites-available/example.com.conf
server {
    listen 80;
    server_name example.com www.example.com;
    include snippets/letsencrypt.conf;
}
- Create the symlink
sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/
- Restart service
sudo systemctl restart nginx
- Run Certbot to obtain the SSL certificate for the domain
sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
- Edit the config file
sudo nano /etc/nginx/sites-available/example.com.conf
# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name www.example.com example.com;
    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

# Redirect www to the bare domain
server {
    listen 443 ssl http2;
    server_name www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
    return 301 https://example.com$request_uri;
}

# Main site
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
    # . . . other code
}
- Reload the service
sudo systemctl reload nginx
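The ssl.conf snippet from the steps above is easy to weaken during later edits, so a small lint for it follows. This is an added example, not part of the original post; the function name lint_ssl_conf, the checks it applies, and both sample files are constructed for illustration.

```shell
# Lint an nginx TLS snippet; prints "FINDING: ..." lines, returns non-zero if any.
lint_ssl_conf() {
    # Ignore comments (assumes no '#' inside quoted values, true for ssl.conf).
    body=$(sed 's/#.*//' "$1")
    findings=0
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }
    report() { echo "FINDING: $1"; findings=$((findings + 1)); }
    protos=$(printf '%s\n' "$body" |
        sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\([^;]*\);.*/\1/p')
    [ -n "$protos" ] || report "ssl_protocols not set"
    for p in $protos; do
        case $p in
            TLSv1.2|TLSv1.3) ;;
            *) report "legacy protocol enabled: $p" ;;
        esac
    done
    has 'ssl_session_tickets[[:space:]]+off[[:space:]]*;' ||
        report "ssl_session_tickets is not off"
    # Since nginx 1.11.0, DHE suites are only used when ssl_dhparam is set.
    if has 'ssl_ciphers.*[[:space:]:]DHE-' && ! has 'ssl_dhparam[[:space:]]+[^;]+;'; then
        report "DHE ciphers listed without ssl_dhparam"
    fi
    # Without "always", nginx omits the header on error responses.
    has 'Strict-Transport-Security[[:space:]].*"[[:space:]]+always[[:space:]]*;' ||
        report "HSTS header missing or not marked always"
    [ "$findings" -eq 0 ]
}

# Constructed samples: GOOD mirrors the page's ssl.conf, WEAK is a made-up variant.
GOOD=$(mktemp); WEAK=$(mktemp)
trap 'rm -f "$GOOD" "$WEAK"' EXIT
cat > "$GOOD" <<'EOF'
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
EOF
cat > "$WEAK" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256;
# ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=31536000";
EOF
lint_ssl_conf "$GOOD" && echo "good sample: clean"
lint_ssl_conf "$WEAK" || echo "weak sample: see findings above"
```

On a server, point the function at /etc/nginx/snippets/ssl.conf and run sudo nginx -t before each reload.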
Auto-renewing Let’s Encrypt SSL certificate
- Add a deploy hook so Nginx is reloaded after each renewal
sudo nano /etc/letsencrypt/cli.ini
deploy-hook = systemctl reload nginx
- Test the renewal
sudo certbot renew --dry-run
Closing
Friends of the Learning & Doing blog, that concludes this explanation of How to Install Let’s Encrypt with Nginx on Ubuntu 20.04 / Debian 11 / Linux Mint. Hopefully it is useful. See you again in the next post.